[PATCH v3 2/2] binman: add fast authentication method for i.MX8M signing

Simon Glass sjg at chromium.org
Mon Sep 30 20:52:16 CEST 2024


Hi Brian,

On Mon, 30 Sept 2024 at 10:10, Brian Ruley <brian.ruley at gehealthcare.com> wrote:
>
> Using the PKI tree with SRKs as intermediate CA isn't necessary or even
> desirable in some situations (boot time, for example). Add the possibility

spelling

> to use the "fast authentication" method where the image and CSF are both
> signed using the SRK [1, p.63].
>
> [1] https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imx-processors/202591/1/CST_UG.pdf
>
> Signed-off-by: Brian Ruley <brian.ruley at gehealthcare.com>
> Cc: Marek Vasut <marex at denx.de>
>
>  tools/binman/etype/nxp_imx8mcst.py | 23 +++++++++++++++++++----
>  1 file changed, 19 insertions(+), 4 deletions(-)

That should be below the --- (you can use patman to get this right
automatically)
> ---
>  tools/binman/etype/nxp_imx8mcst.py | 44 ++++++++++++++++++++++--------
>  1 file changed, 32 insertions(+), 12 deletions(-)
>
> diff --git a/tools/binman/etype/nxp_imx8mcst.py b/tools/binman/etype/nxp_imx8mcst.py
> index 0c744a00d7..a80cb94499 100644
> --- a/tools/binman/etype/nxp_imx8mcst.py
> +++ b/tools/binman/etype/nxp_imx8mcst.py
> @@ -36,6 +36,9 @@ csf_config_template = '''
>    File = "SRK_1_2_3_4_table.bin"
>    Source index = 0
>
> +[Install NOCAK]
> +  File = "SRK1_sha256_4096_65537_v3_usr_crt.pem"
> +
>  [Install CSFK]
>    File = "CSF1_1_sha256_4096_65537_v3_usr_crt.pem"

Since 'sha256_4096_65537_v3_usr_crt.' is common to everything, could
you have a variable, say keyname, and use that everywhere?

>
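Review bot: With `[Install NOCAK]` added, the template now carries two mutually exclusive key-installation blocks (`Install NOCAK` for fast authentication, `Install CSFK` plus the later `Install Key` for the PKI tree) and relies on build-time code to delete whichever one does not apply; nothing in the template says so. A comment above the new section, `# Fast-authentication alternative to [Install CSFK]/[Install Key]; the unused variant is removed at build time depending on nxp,fast-auth`, would stop a reader from assuming both are emitted into the CSF. The `csf_config_template` string starts before this hunk.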
> @@ -74,16 +77,25 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
>                              self._node, 'nxp,srk-table',
>                              'SRK_1_2_3_4_table.bin'
>                           ))
> -        self.csf_crt = os.getenv(
> -            'CSF_KEY', fdt_util.GetString(
> -                           self._node, 'nxp,csf-crt',
> -                           'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'
> -                       ))
> -        self.img_crt = os.getenv(
> -            'IMG_KEY', fdt_util.GetString(
> -                           self._node, 'nxp,img-crt',
> -                           'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'
> -                       ))
> +        self.fast_auth = fdt_util.GetBool(self._node, 'nxp,fast-auth')
> +        if not self.fast_auth:
> +            self.csf_crt = os.getenv(
> +                'CSF_KEY', fdt_util.GetString(
> +                               self._node, 'nxp,csf-crt',
> +                               'CSF1_1_sha256_4096_65537_v3_usr_crt.pem'

e.g. f'CSF1_1_{keyname}'

> +                           ))
> +            self.img_crt = os.getenv(
> +                'IMG_KEY', fdt_util.GetString(
> +                               self._node, 'nxp,img-crt',
> +                               'IMG1_1_sha256_4096_65537_v3_usr_crt.pem'
> +                           ))
> +        else:
> +            self.srk_crt = os.getenv(
> +                'SRK_KEY', fdt_util.GetString(
> +                               self._node, 'nxp,srk-crt',
> +                               'SRK1_sha256_4096_65537_v3_usr_crt.pem'
> +                           ))

All three options seem to read the 'nxp,srk-crt' property, so you can
do that once, outside the if(), to reduce the amount of duplicated code.

> +
>          self.unlock = fdt_util.GetBool(self._node, 'nxp,unlock')
>          self.ReadEntries()
>
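Review bot: After the new `if not self.fast_auth:` branch the entry has a different attribute set depending on the mode: `csf_crt` and `img_crt` exist only in PKI mode and `srk_crt` only in fast-auth mode, so any later code touching the other set fails with an AttributeError instead of a clear configuration error, and the conditional here must stay in lock-step with the matching one in the CSF-building hunk. Initialising all three before the branch, `self.csf_crt = self.img_crt = self.srk_crt = None`, keeps the object shape stable and lets a later check report a missing certificate by name. Separately, because the fast-auth path signs the CSF and image with the SRK itself, the signing step presumably needs the SRK private key on the build host, whereas PKI mode only exposes the subordinate CSF/IMG keys; that key-custody trade-off is worth stating in the entry's documentation next to the new `nxp,fast-auth` property and `SRK_KEY` override. The enclosing method starts before this hunk.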
> @@ -137,8 +149,16 @@ class Entry_nxp_imx8mcst(Entry_mkimage):
>          # Load configuration template and modify keys of interest
>          config.read_string(csf_config_template)
>          config['Install SRK']['File'] = '"' + self.srk_table + '"'

This is what I mean by the f-string:

f'"{self.srk_table}"'

> -        config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
> -        config['Install Key']['File'] = '"' + self.img_crt + '"'
> +        if not self.fast_auth:
> +            config.remove_section('Install NOCAK')
> +            config['Install CSFK']['File'] = '"' + self.csf_crt + '"'
> +            config['Install Key']['File'] = '"' + self.img_crt + '"'
> +        else:
> +            config.remove_section('Install CSFK')
> +            config.remove_section('Install Key')
> +            config['Install NOCAK']['File'] = '"' + self.srk_crt + '"'
> +            config['Authenticate Data']['Verification index'] = '0'
> +
>          config['Authenticate Data']['Blocks'] = (hex(signbase) + ' 0 '
>                                                   + hex(len(data)) + ' "'
>                                                   + str(output_dname) + '"')
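Review bot: The fast-auth branch sets `config['Authenticate Data']['Verification index'] = '0'` as a bare literal with no explanation, while the PKI branch leaves whatever index the template carries; a reader cannot tell why the two modes differ or what `0` selects. A comment such as `# Fast authentication: no CSFK/IMG key is installed, so the data is verified against the SRK directly (index 0 per the NOCAK section) — confirm against CST_UG` would record the intent, and hoisting the value into a named constant would make the coupling with the `[Install NOCAK]` section explicit. Note also that `remove_section()` silently returns False when the section is absent, so a template edit that renames one of these sections would not be caught here. The enclosing method starts before this hunk and continues after it.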

Can use f-strings here too, e.g.

f'{signbase:#x} 0 {len(data):#x} ...

> --
> 2.39.5
>

Regards,
Simon

